Is it Even Possible to Remove Malware from an .exe File?



#1 evanexempt


Posted 07 April 2015 - 07:34 PM

This question has to have been asked (or alluded to) at some point in the history of this virus-conscious community. But none of my searches turned up any such threads, so I am going to take the liberty of starting two threads in one day. #TopicHog

OK, I am really not a programmer, and I may ask what seem like very stupid questions, make some very ignorant assumptions... Please bear with me.

Is it possible for a very skilled programmer to break open (decompile?) an executable install file and remove malware? And then recompile the whole mess of code and have it still function properly... The question is this: CAN YOU CLEAN A DIRTY INSTALL FILE AND SALVAGE IT, SO THAT YOUR FRIEND CAN HAVE A CLEAN INSTALL?

I have provided the following conditions to accompany my question:

  • The malware has been previously identified and successfully thwarted. (i.e., you have loaded the .exe file onto your machine; your machine became infected, but you isolated the threat and identified it as a common browser hijacker. You also have logs of its system-level activities from the point of installation to the point of eradication.)
  • The malware has no inherently destructive capabilities. (i.e., it is not wipeware or anything aggressively malicious, just a predictable browser hijacker or toolbar bug.)
  • The malware does not otherwise interfere with or compromise the integrity of the desired software. (i.e., the .exe has no apparent problems aside from the fact that your Chrome browser has suddenly become compromised. The desired software appears to be intact and to function normally -- from which we can infer that its code has not been disturbed.)
  • However, no mal/adware could be detected in the .exe file upon pre-emptive scan by several reputable anti-malware applications. (i.e., the bug has hidden itself very well in the install file. Even though it is fairly easy to detect and kill [with the right weapons] once it is out, it seems to have been cleverly embedded in the .exe file containing the desired software.)

Did that make sense? No?

OK, Hypothetical Story Time! :)

Jim is a programmer who decides he wants a particular version of software called Goodware v7.x. Goodware is a great program, but it is a bit esoteric, is made in Central Asia somewhere, and is only available from third-party download sites. For this reason, Jim is a little worried. (But not too worried, because Jim is a skilled hacker who pwns any malicious digibyte that dares step to him.)

Not terribly worried, Jim scans the Goodware install file with several anti-malware applications: MonkeyVirus, AlphaVirus, and MileyVirus -- all come up as "No threats detected", so Jim installs the Goodware .exe on his machine.

Once Goodware is installed and Jim has used the software to do a few good things to his hard drive, he goes to his Chrome browser to check his email and BAM! He realizes that his Chrome browser has been hijacked by a mal that has set his homepage to Badware.tk.

OH NO! What does Jim do?

Well, Jim looks over his logs, peruses some keyword searches for Badware.tk on his phone, deletes a few system files and registry entries, executes a few line commands, runs AlphaVirus again, uninstalls/reinstalls his Chrome browser, restarts his machine, runs Goodware (which still works perfectly, sans virus), confirms that the malware has been eradicated, and *poof*, it's all fixed (because Jim knows what he is doing).

But Jim wants to give a copy of Goodware to his boyfriend, Thomas. Thomas works on custom cars for a living, is not a computer expert, and probably wouldn't know what to do if Badware attacked his five-year-old computer.

Since Goodware is fairly hard to come by, and this bug seemed easy enough to kill, Hacker Jim wonders if it might be possible to actually extract the Badware from the executable file before giving it to Thomas.

My QUESTION redux:

Would it really be worth the trouble for Jim to try to fish the Badware out of the Goodware install file?

What if Jim was fully aware that it would be much safer and probably faster to just go find another copy of Goodware from a different host, but he is now curious and obsessed with this idea: 'COULD I POSSIBLY PURGE THE INSTALL FILE MANUALLY?'

The point I am getting at is this: If someone had some skills and was really obsessed with the process, no matter how impractical it might be, would it even be feasibly possible to remove a known threat from a common-format installation file before transmitting it to a less savvy friend?

(Maybe one of these framings makes some sense?... Hopefully.)

This relates indirectly to my earlier post suggesting the adoption of a clean installation of Irfanview on the Bleeping downloads section.

I will hog no more topics today. Thank you for reading.




#2 Aura


Posted 07 April 2015 - 07:49 PM

Is it possible for a very skilled programmer to break open (decompile?) an executable-install file and remove malware?


It is, yes. It would be easier to do if this executable was his and he had direct access to the source code. So he could clean it, then re-compile it without the malicious code. Might not be possible for every executable. And also, I've never really seen anyone bothering doing that. It's just easier to find another clean executable than going through the hassle of doing all that. If a download isn't clean, you don't use it, simple as that. Hence why a lot of programs host their own downloads or use official and recognized mirrors.

I expect Didier to jump in this thread and give us full theory on the subject :P

Edited by Aura., 07 April 2015 - 07:53 PM.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 evanexempt


Posted 07 April 2015 - 09:31 PM

Thank you, Aura!

#4 quietman7


Posted 08 April 2015 - 04:37 AM

Even an anti-virus will attempt to clean an infected file before quarantine/delete.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#5 Aura


Posted 08 April 2015 - 05:17 AM

No problem evan, my pleasure :)



#6 Didier Stevens


Posted 10 April 2015 - 02:36 PM

Yes, this is possible.

Many anti-virus programs do this actually, when they clean a file. So when an executable is infected with a file-infector (that is, malware that attaches itself to a file), in most cases anti-virus can clean it (e.g. remove the attached malware).

If the original EXE has a digital signature, you can even check if the removal was successful, by checking the digital signature. With malware, the signature will be invalid, and without, it will be valid.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"
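Didier's signature check above, as an added example that is not code from the thread or its participants: this Python script (assumed here, the thread names no tool) reads a PE's headers to report whether an Authenticode certificate table is present and how many trailing bytes lie outside both the sections and that table, which is the structural trace an appended file-infector leaves and which makes the signature fail to verify. It builds its own constructed minimal PE32 samples so it runs offline.

```python
# Added example, not code from the thread: inspect a PE for a certificate table and appended bytes.
import struct

def pe_layout(data: bytes) -> dict:
    """Report whether a PE carries a certificate table and how much trailing
    data (overlay) lies outside both the sections and that table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]              # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]            # 0x10B PE32, 0x20B PE32+
    dirs = opt + (96 if magic == 0x10B else 112)               # data directory array
    cert_off, cert_size = struct.unpack_from("<II", data, dirs + 4 * 8)  # entry 4, a file offset
    sec = opt + opt_size
    last_end = sec + 40 * nsections
    for i in range(nsections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec + 40 * i + 16)
        last_end = max(last_end, raw_ptr + raw_size)
    overlay = len(data) - last_end
    if cert_size == 0:
        outside = overlay                                      # unsigned file: all overlay is suspect
    else:
        outside = max(0, cert_off - last_end) + max(0, len(data) - (cert_off + cert_size))
    return {"signed": cert_size > 0, "overlay": overlay, "unsigned_overlay": outside}

def build_pe(cert: bytes = b"", trailing: bytes = b"") -> bytes:
    """Constructed minimal PE32 with one 512-byte section at offset 512; `cert`
    stands in for a certificate table at offset 1024, `trailing` for appended bytes."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                        # NumberOfRvaAndSizes
    if cert:
        struct.pack_into("<II", opt, 96 + 4 * 8, 1024, len(cert))
    sec = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 512, 0x1000, 512, 512, 0, 0, 0, 0, 0x60000020)
    headers = (dos + coff + bytes(opt) + sec).ljust(512, b"\0")
    return headers + b"\xC3".ljust(512, b"\0") + cert + trailing

if __name__ == "__main__":
    for label, sample in [("signed, clean", build_pe(cert=b"C" * 100)),
                          ("signed, bytes appended", build_pe(cert=b"C" * 100, trailing=b"X" * 50))]:
        print(label, pe_layout(sample))
```

This inspects layout only; the actual signature verdict comes from a real verifier such as signtool or PowerShell's Get-AuthenticodeSignature, and a few bytes of alignment padding between the last section and the certificate table are normal in real files.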


#7 Aura


Posted 10 April 2015 - 03:01 PM

So basically, all what Jim would have to do is to scan the bundled file against an Antivirus which could "clean" that file to remove the malware and then pass it along to his friend? However, will it work on bundled installers? The Antivirus should have PUP detection and also detect that file, obviously.



#8 Didier Stevens


Posted 10 April 2015 - 05:42 PM

No, bundled installers are different. There was no "clean" file that was later on infected.




#9 Aura


Posted 10 April 2015 - 07:06 PM

So I guess it won't apply in his situation because it sounds like he's talking about a bundled installer.



#10 quietman7


Posted 10 April 2015 - 07:18 PM

...it sounds like he's talking about a bundled installer.

From the link in his first posting... This relates indirectly to my earlier post suggesting the adoption of a clean installation of Irfanview on the Bleeping downloads section.

When I say 'clean download', I am referring to the software's notoriety for coming bundled with bADwarez of all description



#11 Aura


Posted 10 April 2015 - 07:20 PM

Yes exactly. So in that case, scanning the bundled installer against an Antivirus wouldn't do the trick. However ... extracting the content of the installer (depends if it's a .exe or .msi) could work since you could grab only the installer for the program itself. But that doesn't work with every installer sadly. It works for driver ones as far as I know.



#12 Didier Stevens


Posted 11 April 2015 - 08:16 AM

It will never work in his case, because of his condition:

 

  • However, no mal/adware could be detected in the .exe file upon pre-emptive scan by several reputable anti-malware applications. (i.e., the bug has hidden itself very well in the install file. Even though it is fairly easy to detect and kill [with the right weapons] once it is out, it seems to have been cleverly embedded in the .exe file containing the desired software.)



#13 Aura


Posted 11 April 2015 - 08:20 AM

Well I guess it would work if he was to submit the .exe (sample) to an Antivirus company so they can add it to their definitions. Or if he uploads it on VirusTotal, they're going to obtain the sample eventually.



#14 Didier Stevens


Posted 12 April 2015 - 05:47 AM

Then it will be detected. But I doubt that AV companies will include cleaning instructions in the signature, as it is not a file-infector.




#15 quietman7


Posted 12 April 2015 - 06:33 AM

Keep in mind that in many cases the infected files cannot be disinfected properly by your anti-virus due to flaws and bugs in the viral code. When disinfection is attempted, the files become corrupted and the system may become irreparable. Some file infectors will create non-functional files that also contain the virus so it's possible to find repaired but corrupted files. They became corrupted by the incorrect writing of the viral code during the process of infection.



